In many organizations, especially for critical infrastructure, IT is responsible for the technical success of electronic security systems deployments. This question is from a security practitioner whose company had just hired a senior IT project manager who, for his previous employer, was the IT person in charge of physical security system technologies.
Q: Our new IT project manager reached out to me about collaborating on physical security technology, a role for him in his previous company. We rely on our integrator for everything except corporate networking. Where do I start and what do we talk about?
A: This is a fantastic opportunity for you and your company. You can let him set the initial discussion agenda, and as things progress, get your integrator involved.
Getting Started
You are about to establish an ongoing working partnership with IT, the extent of which will grow over time, at a pace that you, your IT project manager and your service provider (systems integrator) can be comfortable with. This collaboration is critically important, as today’s electronic physical security systems are based on information technology. They are also capable of providing information that is beneficial to other business functions than physical security, especially for business operations in retail, manufacturing, healthcare and many others. Thus IT, as the function responsible for business information systems, and for the corporate network and its usage, is a major stakeholder in the company’s electronic security systems deployment from multiple perspectives.
I would characterize that collaboration path something like this:
- Preparation
- Discovery
- Exploration
- Objectives
- Roadmap
The first two bullets will overlap a little, some preparation and then some discovery, more preparation and more discovery. Below is an approach that many companies have found to work well for such collaborations.
Preparation
There is probably more preparation to do on your part, as your IT project manager is already well-prepared for such discussions. Your first step is to let your IT colleague know that you are very interested in that collaboration and that you’d like to set up an appointment to meet (maybe lunch in a small conference room) in a week or so. This will give you a little time to prepare as described below.
System Documentation. Get your security system documentation current, or else clearly understand where it stands. When they do exist, most security system design documentation and engineering drawings are out of date. In contrast, most IT departments have their design documentation and engineering drawings current – and many use IT tools to keep digital models of their systems current automatically. You will win respect from IT if your documentation is up to date.
Cybersecurity for Physical Security Systems. If you have executed a plan for hardening your security systems, review it and update it if needed. If not, collect the cybersecurity hardening guides available for your security products and systems, starting here: http://bit.ly/phys-sec-hardening-guides. Review them to get an idea of what may be a high priority your collaboration regarding security system cyber protections.
Product Lifecycle Management. This is a standard IT practice. Do you have a record for all the deployed products including purchase date, installation date, vendor and service provider warranty dates, end-of-sales and end-of-support dates? Update it if you have one. If you don’t, this will be a collaboration item, as IT may be able to share some of the software that they use for product lifecycle management.
Discovery
Discover is a mutual action of finding out “where things stand” regarding the technology landscapes of IT and physical security. The preparation steps above will better enable you to share status information with IT. Let your new IT colleague know that you’d like to be briefed on his previous experience with physical security deployments and what lessons he has learned including regarding cybersecurity protections, and your company’s information technology roadmap.
In my experience, many physical security technology deployments suffer because they don’t follow the company’s policies and practices for deploying information technology. IT has them; security typically doesn’t know about them. This is another discovery item that you’d like to learn about.
Discovery is best done at an easy pace, measured in weeks unless there are urgent security system problems that need immediate attention from IT.
Exploration
Exploration is about considering the various ways in which IT can support physical security’s technology objectives, such as by security technology project management, and how security can benefit by applying the applicable policies and practices of IT. This is usually a good point to get your service provider (systems integrator) involved.
Objectives
At this point, your IT colleague may have some objectives of his own for the physical security technology infrastructure, and you may have some as well. Consider performing a cybersecurity risk assessment for the physical security systems infrastructure. If your facility physical security risk assessments are not up to date, that should be one of your objectives also.
Roadmap
Knowing where security system cybersecurity stands, and knowing where your physical security risks stand, puts you in a good position to develop a roadmap for security and IT collaboration regarding policies, practices, and security system improvements. A roadmap that covers your current objectives will have a timeline based upon what you are trying to accomplish in the time frames that you envision. That timeline will be driven by risk mitigation priorities, security operations objectives, and the likely availability of funding.
Security’s having a partner in IT will be an advantage, including for helping to make the business case for technology selections, improvements, and tech infrastructure management. IT will be able to increase the value that it brings to the organization, by helping to make physical security systems technologically current, more cost-effective and more security-effective. It’s a win-win-win situation for security, IT and the organization.
About the author: Write to Ray about this column at [email protected]. Ray Bernard, PSP, CHS-III is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities. Ray is an active contributor to the educational activities ASIS IT Security and Physical Security councils. In 2018 IFSEC Global listed Ray as #12 in the world’s top 20 Security Thought Leaders. For more information about Ray and RBCS go to www.go-rbcs.com or call 949-831-6788. Ray is also a member of the Content Expert Faculty of the Security Executive Council (www.SecurityExecutiveCouncil.com). Follow Ray on Twitter: @RayBernardRBCS.
© 2018 Ray Bernard
